{- OpenSSL::safe::output_do_not_edit_headers(); -}

openssl-s_server - SSL/TLS server program

B<openssl> B<s_server>
[B<-serverinfo> I<val>]
[B<-certform> B<DER>|B<PEM>]
[B<-keyform> B<DER>|B<PEM>]
[B<-dcertform> B<DER>|B<PEM>]
[B<-dkeyform> B<DER>|B<PEM>]
[B<-msgfile> I<outfile>]
[B<-no_resume_ephemeral>]
[B<-http_server_binmode>]
[B<-servername_fatal>]
[B<-id_prefix> I<val>]
[B<-keymatexport> I<val>]
[B<-keymatexportlen> I<+int>]
[B<-CRLform> B<DER>|B<PEM>]
[B<-cert_chain> I<infile>]
[B<-dcert_chain> I<infile>]
[B<-chainCApath> I<dir>]
[B<-verifyCApath> I<dir>]
[B<-chainCAstore> I<uri>]
[B<-verifyCAstore> I<uri>]
[B<-verify_return_error>]
[B<-chainCAfile> I<infile>]
[B<-verifyCAfile> I<infile>]
[B<-status_timeout> I<int>]
[B<-status_url> I<val>]
[B<-status_file> I<infile>]
[B<-security_debug_verbose>]
[B<-ssl_config> I<val>]
[B<-max_send_frag> I<+int>]
[B<-split_send_frag> I<+int>]
[B<-max_pipelines> I<+int>]
[B<-read_buf> I<+int>]
[B<-legacy_renegotiation>]
[B<-no_renegotiation>]
[B<-legacy_server_connect>]
[B<-no_resumption_on_reneg>]
[B<-no_legacy_server_connect>]
[B<-allow_no_dhe_kex>]
[B<-prioritize_chacha>]
[B<-client_sigalgs> I<val>]
[B<-named_curve> I<val>]
[B<-ciphersuites> I<val>]
[B<-dhparam> I<infile>]
[B<-record_padding> I<val>]
[B<-debug_broken_protocol>]
[B<-psk_identity> I<val>]
[B<-psk_hint> I<val>]
[B<-psk_session> I<file>]
[B<-srpvfile> I<infile>]
[B<-srpuserseed> I<val>]
[B<-nextprotoneg> I<val>]
[B<-use_srtp> I<val>]
[B<-keylogfile> I<outfile>]
[B<-recv_max_early_data> I<int>]
[B<-max_early_data> I<int>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
{- $OpenSSL::safe::opt_s_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}

=for openssl ifdef unix 4 6 unlink no_dhe nextprotoneg use_srtp engine

=for openssl ifdef status status_verbose status_timeout status_url status_file

=for openssl ifdef psk_hint srpvfile srpuserseed sctp sctp_label_bug

=for openssl ifdef sctp sctp_label_bug trace mtu timeout listen

=for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 dtls mtu dtls1 dtls1_2

This command implements a generic SSL/TLS server which
listens for connections on a given port using SSL/TLS.

In addition to the options below, this command also supports
the common and server only options documented in
L<SSL_CONF_cmd(3)/Supported Command Line Commands>.

Print out a usage message.

=item B<-port> I<+int>

The TCP port to listen on for connections. If not specified 4433 is used.

=item B<-accept> I<val>

The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.

=item B<-unix> I<val>

Unix domain socket to accept on.

For -unix, unlink any existing socket first.

=item B<-context> I<val>

Sets the SSL context id. It can be given any string value. If this option
is not present a default value will be used.

=item B<-verify> I<int>, B<-Verify> I<int>

The verify depth to use. This specifies the maximum length of the
client certificate chain and makes the server request a certificate from
the client. With the B<-verify> option a certificate is requested but the
client does not have to send one; with the B<-Verify> option the client
must supply a certificate or an error occurs.

If the cipher suite cannot request a client certificate (for example an
anonymous cipher suite or PSK) this option has no effect.

=item B<-cert> I<infile>

The certificate to use; most server cipher suites require the use of a
certificate and some require a certificate with a certain public key type:
for example the DSS cipher suites require a certificate containing a DSS
(DSA) key. If not specified then the filename F<server.pem> will be used.

A file containing trusted certificates to use when attempting to build the
client/server certificate chain related to the certificate specified via the

=item B<-build_chain>

Specify whether the application should build the certificate chain to be
provided to the client.

=item B<-naccept> I<+int>

The server will exit after receiving the specified number of connections,

=item B<-serverinfo> I<val>

A file containing one or more blocks of PEM data. Each PEM block
must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
followed by "length" bytes of extension data). If the client sends
an empty TLS ClientHello extension matching the type, the corresponding
ServerHello extension will be returned.

=item B<-certform> B<DER>|B<PEM>, B<-CRLform> B<DER>|B<PEM>

The certificate and CRL format; the default is PEM.
See L<openssl(1)/Format Options> for details.

=item B<-key> I<infile>

The private key to use. If not specified then the certificate file will

=item B<-keyform> B<DER>|B<PEM>

The key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.

=item B<-pass> I<val>

The private key password source.
For more information about the format of I<val>,
see L<openssl(1)/Pass Phrase Options>.

=item B<-dcert> I<infile>, B<-dkey> I<infile>

Specify an additional certificate and private key; these behave in the
same manner as the B<-cert> and B<-key> options except there is no default
if they are not specified (no additional certificate and key is used). As
noted above some cipher suites require a certificate containing a key of
a certain type. Some cipher suites need a certificate carrying an RSA key
and some a DSS (DSA) key. By using RSA and DSS certificates and keys
a server can support clients which only support RSA or DSS cipher suites
by using an appropriate certificate.

=item B<-dcert_chain>

A file containing trusted certificates to use when attempting to build the
server certificate chain when a certificate specified via the B<-dcert> option

=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>

The format of the certificate and private key; the default is B<PEM>.
See L<openssl(1)/Format Options>.

=item B<-dpass> I<val>

The passphrase for the additional private key.
For more information about the format of I<val>,
see L<openssl(1)/Pass Phrase Options>.

Tests non-blocking I/O.

This option translates a line feed from the terminal into CR+LF.

Print extensive debugging information including a hex dump of all traffic.

Show all protocol messages with hex dump.

=item B<-msgfile> I<outfile>

File to send output of B<-msg> or B<-trace> to, default standard output.

Prints the SSL session states.

=item B<-chainCApath> I<dir>

The directory to use for building the chain provided to the client. This
directory must be in "hash format", see L<openssl-verify(1)> for more

=item B<-chainCAfile> I<file>

A file containing trusted certificates to use when attempting to build the
server certificate chain.

=item B<-chainCAstore> I<uri>

The URI to a store to use for building the chain provided to the client.
The URI may indicate a single certificate, as well as a collection of
With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
B<-chainCApath>, depending on if the URI indicates a directory or a
See L<ossl_store-file(7)> for more information on the C<file:> scheme.

If this option is set then no certificate is used. This restricts the
cipher suites available to the anonymous ones (currently just anonymous

Inhibit printing of session and certificate information.

=item B<-tlsextdebug>

Print a hex dump of any TLS extensions received from the server.

Sends a status message back to the client when it connects. This includes
information about the ciphers used and various session parameters.
The output is in HTML format so this option can be used with a web browser.
The special URL C</renegcert> turns on client cert validation, and C</reneg>
tells the server to request renegotiation.
The B<-early_data> option cannot be used with this option.

=item B<-WWW>, B<-HTTP>

Emulates a simple web server. Pages will be resolved relative to the
current directory; for example, if the URL C<https://myhost/page.html> is
requested the file F<./page.html> will be sent.
If the B<-HTTP> flag is used, the files are sent directly, and should contain
any HTTP response headers (including status response line).
If the B<-WWW> option is used,
the response headers are generated by the server, and the file extension is
examined to determine the B<Content-Type> header.
Extensions of C<html>, C<htm>, and C<php> are C<text/html> and all others are
In addition, the special URL C</stats> will return status
information like the B<-www> option.
Neither of these options can be used in conjunction with B<-early_data>.

=item B<-http_server_binmode>

When acting as a web server (using option B<-WWW> or B<-HTTP>) open files requested
by the client in binary mode.

=item B<-id_prefix> I<val>

Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
for testing any SSL/TLS code (e.g. proxies) that wishes to deal with multiple
servers, each of which might be generating a unique range of session
IDs (e.g. with a certain prefix).

=item B<-verify_return_error>

Verification errors normally just print a message but allow the
connection to continue, for debugging purposes.
If this option is used, then verification errors close the connection.

Enables certificate status request support (aka OCSP stapling).

=item B<-status_verbose>

Enables certificate status request support (aka OCSP stapling) and gives
a verbose printout of the OCSP response.

=item B<-status_timeout> I<int>

Sets the timeout for OCSP response to I<int> seconds.

=item B<-status_url> I<val>

Sets a fallback responder URL to use if no responder URL is present in the
server certificate. Without this option an error is returned if the server
certificate does not contain a responder address.

=item B<-status_file> I<infile>

Overrides any OCSP responder URLs from the certificate and always provides the
OCSP Response stored in the file. The file must be in DER format.

Show verbose trace output of protocol messages. OpenSSL needs to be compiled
with B<enable-ssl-trace> for this option to work.

Provide a brief summary of connection parameters instead of the normal verbose

Simple test server which just reverses the text received from the client
and sends it back to the server. Also sets B<-brief>. Cannot be used in
conjunction with B<-early_data>.

Switch on asynchronous mode. Cryptographic operations will be performed
asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).

=item B<-max_send_frag> I<+int>

The maximum size of data fragment to send.
See L<SSL_CTX_set_max_send_fragment(3)> for further information.

=item B<-split_send_frag> I<+int>

The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
maximum number of pipelines defined by max_pipelines. This only has an effect if
a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.

=item B<-max_pipelines> I<+int>

The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.

=item B<-read_buf> I<+int>

The default read buffer size to be used for connections. This will only have an
effect if the buffer size is larger than the size that would otherwise be used
and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
further information).

There are several known bugs in SSL and TLS implementations. Adding this
option enables various workarounds.

Disable negotiation of TLS compression.
TLS compression is not recommended and is off by default as of

Enable negotiation of TLS compression.
This option was introduced in OpenSSL 1.1.0.
TLS compression is not recommended and is off by default as of

Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
is negotiated. See B<-num_tickets>.

=item B<-num_tickets>

Control the number of tickets that will be sent to the client after a full
handshake in TLSv1.3. The default number of tickets is 2. This option does not
affect the number of tickets sent after a resumption handshake.

Use the server's cipher preferences, rather than the client's preferences.

=item B<-prioritize_chacha>

Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.

=item B<-no_resumption_on_reneg>

Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.

=item B<-client_sigalgs> I<val>

Signature algorithms to support for client certificate authentication
(colon-separated list).

=item B<-named_curve> I<val>

Specifies the elliptic curve to use. NOTE: this is a single curve, not a list.
For a list of all possible curves, use:

    $ openssl ecparam -list_curves

=item B<-cipher> I<val>

This allows the list of TLSv1.2 and below ciphersuites used by the server to be
modified. This list is combined with any TLSv1.3 ciphersuites that have been
configured. When the client sends a list of supported ciphers the first client
cipher also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist is irrelevant. See
L<openssl-ciphers(1)> for more information.

=item B<-ciphersuites> I<val>

This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
This list is combined with any TLSv1.2 and below ciphersuites that have been
configured. When the client sends a list of supported ciphers the first client
cipher also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist is irrelevant. See
the L<openssl-ciphers(1)> command for more information. The format for this list is
a simple colon (":") separated list of TLSv1.3 ciphersuite names.

=item B<-dhparam> I<infile>

The DH parameter file to use. The ephemeral DH cipher suites generate keys
using a set of DH parameters. If not specified then an attempt is made to
load the parameters from the server certificate file.
If this fails then a static set of parameters hard coded into this command

Turns on non-blocking I/O.

=item B<-psk_identity> I<val>

Expect the client to send PSK identity I<val> when using a PSK
cipher suite, and warn if they do not. By default, the expected PSK
identity is the string "Client_identity".

=item B<-psk_hint> I<val>

Use the PSK identity hint I<val> when using a PSK cipher suite.

Use the PSK key I<val> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
This option must be provided in order to use a PSK cipher.

=item B<-psk_session> I<file>

Use the PEM-encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.

This option can only be used in conjunction with one of the DTLS options above.
With this option, this command will listen on a UDP port for incoming
Any ClientHellos that arrive will be checked to see if they have a cookie in
Any without a cookie will be responded to with a HelloVerifyRequest.
If a ClientHello with a cookie is received then this command will
connect to that peer and complete the handshake.

Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
available where OpenSSL has support for SCTP enabled.

=item B<-sctp_label_bug>

Use the incorrect behaviour of older OpenSSL implementations when computing
endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
older broken implementations but breaks interoperability with correct
implementations. Must be used in conjunction with B<-sctp>. This option is only
available where OpenSSL has support for SCTP enabled.

If this option is set then no DH parameters will be loaded, effectively
disabling the ephemeral DH cipher suites.

=item B<-alpn> I<val>, B<-nextprotoneg> I<val>

These flags enable the Application-Layer Protocol Negotiation (ALPN)
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
The I<val> list is a comma-separated list of supported protocol
names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.

=item B<-keylogfile> I<outfile>

Appends TLS secrets to the specified keylog file such that external programs
(like Wireshark) can decrypt TLS connections.

=item B<-max_early_data> I<int>

Change the default maximum early data bytes that are specified for new sessions
and any incoming early data (when used in conjunction with the B<-early_data>
flag). The default value is approximately 16k. The argument must be an integer
greater than or equal to 0.

=item B<-recv_max_early_data> I<int>

Specify the hard limit on the maximum number of early data bytes that will

Accept early data where possible. Cannot be used in conjunction with B<-www>,
B<-WWW>, B<-HTTP> or B<-rev>.

Require TLSv1.3 cookies.

=item B<-anti_replay>, B<-no_anti_replay>

Switches replay protection on or off, respectively. Replay protection is on by
default unless overridden by a configuration file. When it is on, OpenSSL will
automatically detect if a session ticket has been used more than once, TLSv1.3
has been negotiated, and early data is enabled on the server. A full handshake
is forced if a session ticket is used a second or subsequent time. Any early
data that was sent will be rejected.

{- $OpenSSL::safe::opt_name_item -}

{- $OpenSSL::safe::opt_version_item -}

{- $OpenSSL::safe::opt_s_item -}

{- $OpenSSL::safe::opt_x_item -}

{- $OpenSSL::safe::opt_trust_item -}

{- $OpenSSL::safe::opt_r_item -}

{- $OpenSSL::safe::opt_engine_item -}

{- $OpenSSL::safe::opt_v_item -}

If the server requests a client certificate, then
verification errors are displayed, for debugging, but the command will
proceed unless the B<-verify_return_error> option is used.

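
The block layout that B<-serverinfo> expects (2 bytes type, 2 bytes length, then the data) can be produced and checked with a short script. This is an added Python example, not part of the OpenSSL sources; the C<SERVERINFO FOR > label prefix is what OpenSSL's serverinfo loader looks for and is not stated on this page, and the extension type and payload are constructed sample values.

```python
import base64
import struct

# Label prefix OpenSSL expects on PEM blocks that use this 4-byte-header layout.
PEM_PREFIX = "SERVERINFO FOR "


def encode_extension(ext_type: int, data: bytes) -> bytes:
    """2 bytes type, 2 bytes length (big-endian), then `length` bytes of data."""
    if not 0 <= ext_type <= 0xFFFF:
        raise ValueError("extension type must fit in 2 bytes")
    if len(data) > 0xFFFF:
        raise ValueError("extension data must fit a 2-byte length")
    return struct.pack("!HH", ext_type, len(data)) + data


def decode_extension(raw: bytes):
    """Check that one PEM payload is exactly one well-formed extension."""
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte header")
    ext_type, length = struct.unpack_from("!HH", raw)
    if length != len(raw) - 4:
        raise ValueError("length field %d, actual data %d" % (length, len(raw) - 4))
    return ext_type, raw[4:]


def pem_block(label: str, payload: bytes) -> str:
    """Wrap a payload in a PEM block, base64 body folded at 64 columns."""
    name = PEM_PREFIX + label
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (name, body, name)


def parse_serverinfo(text: str):
    """Return [(label, type, data)] for every block; ValueError if any is malformed."""
    entries, name, body = [], None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            if name is not None:
                raise ValueError("nested PEM block")
            name, body = line[11:-5], []
        elif line.startswith("-----END ") and line.endswith("-----"):
            if name is None or line[9:-5] != name:
                raise ValueError("unbalanced PEM block")
            if not name.startswith(PEM_PREFIX):
                raise ValueError("unexpected PEM label: " + name)
            raw = base64.b64decode("".join(body), validate=True)
            ext_type, data = decode_extension(raw)
            entries.append((name[len(PEM_PREFIX):], ext_type, data))
            name = None
        elif name is not None and line:
            body.append(line)
    if name is not None:
        raise ValueError("unterminated PEM block")
    return entries


# Constructed sample: type 0xFFA0 and its payload are illustrative values only.
SAMPLE = pem_block("DEMO EXTENSION",
                   encode_extension(0xFFA0, b"constructed demo payload"))

if __name__ == "__main__":
    print(SAMPLE, end="")
    print(parse_serverinfo(SAMPLE))
```

Running C<parse_serverinfo> over a file before passing it to B<-serverinfo> catches a length field that disagrees with the data actually present in the block.
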
=head1 CONNECTED COMMANDS

If a connection request is established with an SSL client and neither the
B<-www> nor the B<-WWW> option has been used then normally any data received
from the client is displayed and any key presses will be sent to the client.

Certain commands are also recognized which perform special operations. These
commands are a letter which must appear at the start of a line. They are listed

End the current SSL connection but still accept new connections.

End the current SSL connection and exit.

Renegotiate the SSL session (TLSv1.2 and below only).

Renegotiate the SSL session and request a client certificate (TLSv1.2 and below

Send some plain text down the underlying TCP connection: this should
cause the client to disconnect due to a protocol violation.

Print out some session cache status information.

Send a key update message to the client (TLSv1.3 only).

Send a key update message to the client and request one back (TLSv1.3 only).

Send a certificate request to the client (TLSv1.3 only).

This command can be used to debug SSL clients. To accept connections
from a web browser the command:

    openssl s_server -accept 443 -www

can be used for example.

Although specifying an empty list of CAs when requesting a client certificate
is strictly speaking a protocol violation, some SSL clients interpret this to
mean any CA is acceptable. This is useful for debugging purposes.

The session parameters can be printed out using the L<openssl-sess_id(1)> command.

Because this program has a lot of options and also because some of the
techniques used are rather old, the C source for this command is rather
hard to read and not a model of how things should be done.
A typical SSL server program would be much simpler.

The output of common ciphers is wrong: it just gives the list of ciphers that
OpenSSL recognizes and the client supports.

There should be a way for this command to print out details
of any unknown cipher suites a client says it supports.

L<openssl-sess_id(1)>,
L<openssl-s_client(1)>,
L<openssl-ciphers(1)>,
L<SSL_CTX_set_max_send_fragment(3)>,
L<SSL_CTX_set_split_send_fragment(3)>,
L<SSL_CTX_set_max_pipelines(3)>,
L<ossl_store-file(7)>

The -no_alt_chains option was added in OpenSSL 1.1.0.

The -allow_no_dhe_kex and -prioritize_chacha options were added in OpenSSL 1.1.1.

Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
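
How B<-serverpref> and B<-prioritize_chacha> change the cipher choice described under B<-cipher> and B<-ciphersuites> can be seen in a small model. This is an added Python example, not OpenSSL code; it assumes selection depends only on the two preference lists (protocol version, certificate key type and security level are ignored), and the lists are constructed samples.

```python
def is_chacha(name: str) -> bool:
    return "CHACHA20" in name


def choose_cipher(client, server, serverpref=False, prioritize_chacha=False):
    """Return the first mutually supported cipher, or None if there is none.

    client, server: cipher names in each side's own preference order.
    """
    if serverpref:
        prio, allow = list(server), client
        # -prioritize_chacha only acts when the server's order is in force and
        # the client's most preferred cipher is a ChaCha20 one: the server's
        # ChaCha20 entries are then moved ahead of the rest for this handshake.
        if prioritize_chacha and client and is_chacha(client[0]):
            prio = ([c for c in server if is_chacha(c)] +
                    [c for c in server if not is_chacha(c)])
    else:
        # Default: walk the client's list, so the server's order is irrelevant.
        prio, allow = client, server
    allowed = set(allow)
    return next((c for c in prio if c in allowed), None)


# Constructed sample preference lists (most preferred first).
SERVER = ["ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-RSA-AES128-GCM-SHA256",
          "ECDHE-RSA-CHACHA20-POLY1305"]
CHACHA_FIRST_CLIENT = ["ECDHE-RSA-CHACHA20-POLY1305",
                       "ECDHE-RSA-AES128-GCM-SHA256",
                       "ECDHE-RSA-AES256-GCM-SHA384"]
AES_FIRST_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256",
                    "ECDHE-RSA-CHACHA20-POLY1305",
                    "ECDHE-RSA-AES256-GCM-SHA384"]


def compare(client):
    """Selected cipher for one client under each option combination."""
    return {
        "default": choose_cipher(client, SERVER),
        "-serverpref": choose_cipher(client, SERVER, serverpref=True),
        "-serverpref -prioritize_chacha":
            choose_cipher(client, SERVER, serverpref=True, prioritize_chacha=True),
        "-prioritize_chacha alone":
            choose_cipher(client, SERVER, prioritize_chacha=True),
    }


if __name__ == "__main__":
    for label, client in (("ChaCha20-first client", CHACHA_FIRST_CLIENT),
                          ("AES-first client", AES_FIRST_CLIENT)):
        print(label)
        for options, cipher in compare(client).items():
            print("  %-32s %s" % (options, cipher))
```
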